Skip to main content

AFFiNE CVE-2025-11945

LOW
Cross-site Scripting (XSS) (CWE-79)
2025-10-19 cna@vuldb.com
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 02:19 vuln.today

DescriptionCVE.org

A vulnerability was identified in toeverything AFFiNE up to 0.24.1. This vulnerability affects unknown code of the component Avatar Upload Image Endpoint. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Stored cross-site scripting (XSS) in AFFiNE up to version 0.24.1 allows authenticated users to inject malicious scripts via the Avatar Upload Image endpoint, which are executed in the browsers of other users viewing the attacker's profile. The vulnerability requires user interaction (victim must view the malicious avatar) and authenticated access, resulting in limited but confirmed integrity impact. Public exploit code exists; vendor contact attempts yielded no response.

Technical ContextAI

The vulnerability resides in AFFiNE's Avatar Upload Image endpoint, a component that processes user-supplied avatar image data. The root cause is improper input validation or output encoding (CWE-79: Improper Neutralization of Input During Web Page Generation), allowing attacker-controlled data to be stored and later rendered without sanitization in web browsers. This is a stored XSS variant rather than reflected XSS, meaning the malicious payload persists in the application's database and affects multiple victims when they load the attacker's profile or avatar display. The attack vector is network-based but requires prior authentication and user interaction from victims.

Affected ProductsAI

AFFiNE versions up to and including 0.24.1 are affected. The vulnerability specifically impacts the Avatar Upload Image endpoint component. CPE data not provided in available references; affected versions inferred from CVE description range.

RemediationAI

Upgrade AFFiNE to version 0.25.0 or later, which should include sanitization of avatar image uploads. In the interim, implement strict Content Security Policy (CSP) headers to restrict script execution and mitigate XSS impact - specifically, set script-src to 'self' and avoid 'unsafe-inline'. Additionally, perform input validation on avatar uploads at the application layer to reject or sanitize embedded HTML/JavaScript, and consider storing avatars with proper MIME-type enforcement (image-only). If immediate patching is unavailable, restrict avatar upload functionality or disable the feature until a vendor update is released. Note that CSP mitigation does not eliminate the vulnerability but reduces exploitability.

Share

CVE-2025-11945 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy